
STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

SA-4

System and Services Acquisition

Rev 3

Acquisition Process

CCI Identifiers (21)

  • CCI-000619: The organization includes security functional requirements/specifications, explicitly or by reference, in information system acquisition contracts based on an assessment of risk and in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
  • CCI-000620: The organization includes security-related documentation requirements, explicitly or by reference, in information system acquisition contracts based on an assessment of risk and in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
  • CCI-000621: The organization includes developmental and evaluation-related assurance requirements, explicitly or by reference, in information system acquisition contracts based on an assessment of risk and in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
  • CCI-003094: Include the security functional requirements, explicitly or by reference, using standardized contract language; and/or organization-defined contract language in the acquisition contract for the system, system component, or system service.
  • CCI-003095: Include the strength of mechanism requirements, explicitly or by reference, using standardized contract language; and/or organization-defined contract language in the acquisition contract for the information system, system component, or information system service.
  • CCI-003096: Include the security assurance requirements, explicitly or by reference, using standardized contract language; and/or organization-defined contract language in the acquisition contract for the information system, system component, or information system service.
  • CCI-003097: Include the security documentation requirements, explicitly or by reference, using standardized contract language; and/or organization-defined contract language in the acquisition contract for the information system, system component, or information system service.
  • CCI-003098: Include the requirements for protecting security documentation, explicitly or by reference, using standardized contract language; and/or organization-defined contract language in the acquisition contract for the information system, system component, or information system service.
  • CCI-003099: Include the description of the system development environment and environment in which the system is intended to operate, explicitly or by reference, using standardized contract language; and/or organization-defined contract language in the acquisition contract for the information system, system component, or information system service.
  • CCI-003100: Include the acceptance criteria, explicitly or by reference, using standardized contract language; and/or organization-defined contract language in the acquisition contract for the information system, system component, or information system service.
  • CCI-004686: Defines the organization-defined contract language for including the requirements, descriptions, and criteria in the acquisition contract for the system, system component, or system service.
  • CCI-004687: Include the privacy functional requirements, explicitly or by reference, using standardized contract language; and/or organization-defined contract language in the acquisition contract for the information system, system component, or information system service.
  • CCI-004688: Include the privacy assurance requirements, explicitly or by reference, using standardized contract language; and/or organization-defined contract language in the acquisition contract for the information system, system component, or information system service.
  • CCI-004689: Include the controls needed to satisfy security requirements, explicitly or by reference, using standardized contract language; and/or organization-defined contract language in the acquisition contract for the information system, system component, or information system service.
  • CCI-004690: Include the controls needed to satisfy privacy requirements, explicitly or by reference, using standardized contract language; and/or organization-defined contract language in the acquisition contract for the information system, system component, or information system service.
  • CCI-004691: Include the privacy documentation requirements, explicitly or by reference, using standardized contract language; and/or organization-defined contract language in the acquisition contract for the information system, system component, or information system service.
  • CCI-004692: Include the requirements for protecting security documentation, explicitly or by reference, using standardized contract language; and/or organization-defined contract language in the acquisition contract for the information system, system component, or information system service. (deprecated)
  • CCI-004693: Include the requirements for protecting privacy documentation, explicitly or by reference, using standardized contract language; and/or organization-defined contract language in the acquisition contract for the information system, system component, or information system service.
  • CCI-004694: Include the allocation of responsibility or identification of parties responsible for information security, explicitly or by reference, using standardized contract language; and/or organization-defined contract language in the acquisition contract for the information system, system component, or information system service.
  • CCI-004695: Include the allocation of responsibility or identification of parties responsible for information privacy, explicitly or by reference, using standardized contract language; and/or organization-defined contract language in the acquisition contract for the information system, system component, or information system service.
  • CCI-004696: Include the allocation of responsibility or identification of parties responsible for supply chain risk management, explicitly or by reference, using standardized contract language; and/or organization-defined contract language in the acquisition contract for the information system, system component, or information system service.

Linked STIG Checks (0)

No STIG checks reference this control.